Bug 419140

Summary: Crash on exit with the new Resources branch
Product: [Applications] krita
Reporter: amyspark <amy>
Component: Resource Management
Assignee: amyspark <amy>
Status: RESOLVED FIXED
Severity: crash
CC: griffinvalley, halla
Priority: NOR
Version: git master (please specify the git hash!)
Target Milestone: ---
Platform: Compiled Sources
OS: Microsoft Windows
Latest Commit:
Version Fixed In:

Description amyspark 2020-03-23 13:14:50 UTC
SUMMARY
A Windows x64 build of the latest master (cedb1ff3f0de9911c3b6bb5a26d27ba001aa694b) crashes on exit with the following backtrace.

STEPS TO REPRODUCE
1. Compile and run Krita.
2. Exit.

OBSERVED RESULT

#0  0x00007ffa96c3c04a in KoResourceServer<KoColorSet>::~KoResourceServer (this=0x1542f970, __in_chrg=<optimized out>) at C:/krita-win/src/libs/resources/KoResourceServer.h:84
#1  KoResourceServer<KoColorSet>::~KoResourceServer (this=0x1542f970, __in_chrg=<optimized out>) at C:/krita-win/src/libs/resources/KoResourceServer.h:86
#2  KoResourceServerProvider::~KoResourceServerProvider (this=0x7ffa96ccc330 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:134
#3  0x00007ffa96c3c5a0 in (anonymous namespace)::Q_QGS_s_instance::Holder::~Holder (this=0x7ffa96ccc330 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:141
#4  __tcf_0 () at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:141
#5  0x00007ffa96c780a4 in _execute_onexit_table () from C:\krita-win\i\bin\libkritawidgets.dll
#6  0x00007ffa96c11171 in _CRT_INIT () from C:\krita-win\i\bin\libkritawidgets.dll
#7  0x00007ffa96c11258 in __DllMainCRTStartup () from C:\krita-win\i\bin\libkritawidgets.dll
#8  0x00007ffb154850a1 in ntdll!RtlActivateActivationContextUnsafeFast () from C:\WINDOWS\SYSTEM32\ntdll.dll
#9  0x00007ffb154cab02 in ntdll!LdrShutdownProcess () from C:\WINDOWS\SYSTEM32\ntdll.dll
#10 0x00007ffb154ca9ad in ntdll!RtlExitUserProcess () from C:\WINDOWS\SYSTEM32\ntdll.dll
#11 0x00007ffb14adcd8a in KERNEL32!FatalExit () from C:\WINDOWS\System32\kernel32.dll
#12 0x00007ffb1505a245 in msvcrt!_exit () from C:\WINDOWS\System32\msvcrt.dll
#13 0x00007ffb1505a8b5 in msvcrt!_initterm_e () from C:\WINDOWS\System32\msvcrt.dll
#14 0x00000001400014a5 in __tmainCRTStartup ()
#15 0x00000001400014cb in WinMainCRTStartup ()

EXPECTED RESULT
Krita exiting successfully.

SOFTWARE/OS VERSIONS
Windows: Windows 10 1903 (18362.720)
macOS: N/A
Linux/KDE Plasma: N/A
(available in About System)
KDE Plasma Version: N/A
KDE Frameworks Version: 5.64
Qt Version: 5.12.7

ADDITIONAL INFORMATION
Dependencies compiled using the build.cmd script.
Comment 1 Halla Rempt 2020-03-24 12:26:01 UTC
Curious, I just built Krita on my Windows laptop, and I don't get this crash...
Comment 2 amyspark 2020-03-24 17:39:48 UTC
Compiled Krita master from scratch again (including deps) and this is what I get.

-exec bt
#0  0x00007ff88e15c04a in KoResourceServer<KoColorSet>::~KoResourceServer (this=0x159d5b20, __in_chrg=<optimized out>) at C:/krita-win/src/libs/resources/KoResourceServer.h:84
#1  KoResourceServer<KoColorSet>::~KoResourceServer (this=0x159d5b20, __in_chrg=<optimized out>) at C:/krita-win/src/libs/resources/KoResourceServer.h:86
#2  KoResourceServerProvider::~KoResourceServerProvider (this=0x7ff88e1ec330 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:134
#3  0x00007ff88e15c5a0 in (anonymous namespace)::Q_QGS_s_instance::Holder::~Holder (this=0x7ff88e1ec330 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:141
#4  __tcf_0 () at C:\krita-win\src\libs\widgets\KoResourceServerProvider.cpp:141
#5  0x00007ff88e1980a4 in _execute_onexit_table () from C:\krita-win\i\bin\libkritawidgets.dll
#6  0x00007ff88e131171 in _CRT_INIT () from C:\krita-win\i\bin\libkritawidgets.dll
#7  0x00007ff88e131258 in __DllMainCRTStartup () from C:\krita-win\i\bin\libkritawidgets.dll
#8  0x00007ff9002c50a1 in ntdll!RtlActivateActivationContextUnsafeFast () from C:\WINDOWS\SYSTEM32\ntdll.dll
#9  0x00007ff90030ab02 in ntdll!LdrShutdownProcess () from C:\WINDOWS\SYSTEM32\ntdll.dll
#10 0x00007ff90030a9ad in ntdll!RtlExitUserProcess () from C:\WINDOWS\SYSTEM32\ntdll.dll
#11 0x00007ff8ffb5cd8a in KERNEL32!FatalExit () from C:\WINDOWS\System32\kernel32.dll
#12 0x00007ff8fe9da245 in msvcrt!_exit () from C:\WINDOWS\System32\msvcrt.dll
#13 0x00007ff8fe9da8b5 in msvcrt!_initterm_e () from C:\WINDOWS\System32\msvcrt.dll
#14 0x00000001400014a5 in __tmainCRTStartup ()
#15 0x00000001400014cb in WinMainCRTStartup ()
Comment 3 wolthera 2020-04-24 13:03:02 UTC
I too have crashes on close:


Application: krita (krita), signal: Aborted
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fd9f022dd40 (LWP 10504))]

Thread 3 (Thread 0x7fd9939b0700 (LWP 10671)):
#0  0x00007fd9ea7c30b4 in __GI___libc_read (fd=32, buf=0x7fd9939afb90, nbytes=16) at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x00007fd9e1e3a2b0 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007fd9e1df50b7 in g_main_context_check () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007fd9e1df5570 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007fd9e1df56dc in g_main_context_iteration () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007fd9eb3460db in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#6  0x00007fd9eb2e563a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#7  0x00007fd9eb0f6317 in QThread::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00007fd9eb0f77ec in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9  0x00007fd9e36f36db in start_thread (arg=0x7fd9939b0700) at pthread_create.c:463
#10 0x00007fd9ea7d488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7fd9c5020700 (LWP 10520)):
#0  0x00007fd9e1e3b644 in g_mutex_unlock () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007fd9e1df55be in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007fd9e1df56dc in g_main_context_iteration () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007fd9eb3460db in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#4  0x00007fd9eb2e563a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#5  0x00007fd9eb0f6317 in QThread::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#6  0x00007fd9e0dfc555 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5DBus.so.5
#7  0x00007fd9eb0f77ec in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8  0x00007fd9e36f36db in start_thread (arg=0x7fd9c5020700) at pthread_create.c:463
#9  0x00007fd9ea7d488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7fd9f022dd40 (LWP 10504)):
[KCrash Handler]
#6  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#7  0x00007fd9ea6f3801 in __GI_abort () at abort.c:79
#8  0x00007fd9ead48957 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x00007fd9ead4eae6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x00007fd9ead4eb21 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#11 0x00007fd9ead4f8ff in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#12 0x00007fd9e8d59ae5 in KoResourceServer<KoColorSet>::~KoResourceServer (this=0x5598e56fa520, __in_chrg=<optimized out>) at /home/wolthera/krita/src/libs/resources/KoResourceServer.h:84
#13 0x00007fd9e8d59b78 in KoResourceServer<KoColorSet>::~KoResourceServer (this=0x5598e56fa520, __in_chrg=<optimized out>) at /home/wolthera/krita/src/libs/resources/KoResourceServer.h:86
#14 0x00007fd9e8d56e6d in KoResourceServerProvider::~KoResourceServerProvider (this=0x7fd9e904d5a0 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at /home/wolthera/krita/src/libs/widgets/KoResourceServerProvider.cpp:134
#15 0x00007fd9e8d56fbe in (anonymous namespace)::Q_QGS_s_instance::Holder::~Holder (this=0x7fd9e904d5a0 <_ZZN12_GLOBAL__N_116Q_QGS_s_instance13innerFunctionEvE6holder>, __in_chrg=<optimized out>) at /home/wolthera/krita/src/libs/widgets/KoResourceServerProvider.cpp:141
#16 0x00007fd9ea6f6041 in __run_exit_handlers (status=0, listp=0x7fd9eaa9e718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#17 0x00007fd9ea6f613a in __GI_exit (status=<optimized out>) at exit.c:139
#18 0x00007fd9ea6d4b9e in __libc_start_main (main=0x5598dc0ddd5f <main(int, char**)>, argc=1, argv=0x7ffe991f5838, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe991f5828) at ../csu/libc-start.c:344
#19 0x00005598dc0ddaaa in _start ()
Comment 4 amyspark 2020-06-25 01:15:57 UTC
I was playing today with Krita, and I managed to trace this to a use-after-free condition in the resource server.

The only place that observes it is the palette docker. In Windows, the main window is destroyed before the resource server, bringing the docker down with it; see below for the stacktrace of PaletteDockerDock::~PaletteDockerDock.

The dock doesn't remove itself from the observer, unlike every other widget that uses this functionality. Thus, when the server is destroyed, it attempts to dereference a long dead object.

I wonder why this happens only with debuggable builds, though?

#0  PaletteDockerDock::~PaletteDockerDock (this=0x2215dd60, __in_chrg=<optimized out>) at C:\krita-win\src\plugins\dockers\palettedocker\palettedocker_dock.cpp:148
#1  0x00007ffad6bb592d in PaletteDockerDock::~PaletteDockerDock (this=0x2215dd60, __in_chrg=<optimized out>) at C:\krita-win\src\plugins\dockers\palettedocker\palettedocker_dock.cpp:150
#2  0x00007ffb47996867 in QObjectPrivate::deleteChildren() () from C:\krita-win\i_deps\bin\Qt5Core.dll
#3  0x00007ffb47e312c3 in QWidget::~QWidget() () from C:\krita-win\i_deps\bin\Qt5Widgets.dll
#4  0x00007ffb42606fda in KMainWindow::~KMainWindow (this=0x1fb6b530, __in_chrg=<optimized out>) at C:\krita-win\src\libs\widgetutils\xmlgui\kmainwindow.cpp:349
#5  0x00007ffb18519685 in KisMainWindow::~KisMainWindow (this=0x1fb6b530, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at C:\krita-win\src\libs\ui\KisMainWindow.cpp:582
#6  0x00007ffb185196fd in KisMainWindow::~KisMainWindow (this=0x1fb6b530, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at C:\krita-win\src\libs\ui\KisMainWindow.cpp:610
#7  0x00007ffb47999a1a in QObject::event(QEvent*) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#8  0x00007ffb47e3612c in QWidget::event(QEvent*) () from C:\krita-win\i_deps\bin\Qt5Widgets.dll
#9  0x00007ffb47f251eb in QMainWindow::event(QEvent*) () from C:\krita-win\i_deps\bin\Qt5Widgets.dll
#10 0x00007ffb42608eec in KMainWindow::event (this=0x1fb6b530, ev=0x182f2960) at C:\krita-win\src\libs\widgetutils\xmlgui\kmainwindow.cpp:765
#11 0x00007ffb47df7bdc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from C:\krita-win\i_deps\bin\Qt5Widgets.dll
#12 0x00007ffb47dfec23 in QApplication::notify(QObject*, QEvent*) () from C:\krita-win\i_deps\bin\Qt5Widgets.dll
#13 0x00007ffb184f1e46 in KisApplication::notify (this=<optimized out>, receiver=0x1fb6b530, event=0x182f2960) at C:\krita-win\src\libs\ui\KisApplication.cpp:688
#14 0x00007ffb4796d0d8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#15 0x00007ffb47973709 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#16 0x000000006a8fe90e in qwindows!qt_plugin_instance () from C:\krita-win\i_deps\plugins\platforms\qwindows.dll
#17 0x00007ffb479c814a in QEventDispatcherWin32Private::sendTimerEvent(int) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#18 0x00007ffb9cc85c0d in USER32!CallWindowProcW () from C:\WINDOWS\System32\user32.dll
#19 0x00007ffb9cc85602 in USER32!DispatchMessageW () from C:\WINDOWS\System32\user32.dll
#20 0x00007ffb479c75eb in QEventDispatcherWin32::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#21 0x000000006a8fe8f5 in qwindows!qt_plugin_instance () from C:\krita-win\i_deps\plugins\platforms\qwindows.dll
#22 0x00007ffb4796b8ff in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from C:\krita-win\i_deps\bin\Qt5Core.dll
#23 0x00007ffb47974b77 in QCoreApplication::exec() () from C:\krita-win\i_deps\bin\Qt5Core.dll
#24 0x0000000140006e90 in main (argc=<optimized out>, argv=0x2946c70) at C:\krita-win\src\krita\main.cc:594
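Added example, not Krita's code: a minimal model of the lifetime bug described in comment 4. The class names ResourceServer, ResourceObserver, LeakyDock and SafeDock and the liveness registry are invented for illustration; the real server and docker are KoResourceServer and PaletteDockerDock. An observer registers with the server in its constructor, and the server's destructor calls a virtual on every observer still registered. LeakyDock never unregisters, so when the dock is destroyed before the server (the Windows ordering in the report) the server is left holding a dangling pointer; SafeDock removes itself in its destructor, which is the shape of the fix. The registry of live observers is a debug aid of this example only, so the dangling case can be counted instead of dereferenced and the buggy ordering can be exercised without undefined behaviour. The __cxa_pure_virtual frame in the Linux trace is consistent with such a call landing on an object whose destructor chain has already run and left the vptr pointing at the abstract base's vtable.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

// Constructed example modelling the observer lifetime bug; not Krita code.

// Observer interface. The set of live observers is a debug aid specific to
// this example: it lets the server detect a dead observer instead of calling
// a virtual through a dangling pointer. Limitation: if a new observer is
// allocated at a freed observer's address it will look live again.
class ResourceObserver {
public:
    ResourceObserver() { liveObservers().insert(this); }
    virtual ~ResourceObserver() { liveObservers().erase(this); }
    virtual void unsetServer() = 0;
    static std::set<ResourceObserver *> &liveObservers() {
        static std::set<ResourceObserver *> live;
        return live;
    }
};

class ResourceServer {
public:
    ~ResourceServer() { shutdown(); }
    void addObserver(ResourceObserver *o) { observers_.push_back(o); }
    void removeObserver(ResourceObserver *o) {
        observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                         observers_.end());
    }
    std::size_t observerCount() const { return observers_.size(); }
    // Tell every remaining observer to forget this server. Returns how many
    // registered pointers no longer refer to a live observer; in the real
    // code those pointers would be dereferenced, which is the use-after-free.
    std::size_t shutdown() {
        std::size_t dangling = 0;
        for (ResourceObserver *o : observers_) {
            if (ResourceObserver::liveObservers().count(o)) o->unsetServer();
            else ++dangling;
        }
        observers_.clear();
        return dangling;
    }
private:
    std::vector<ResourceObserver *> observers_;
};

// Before the fix: registers in the constructor, never unregisters.
class LeakyDock : public ResourceObserver {
public:
    explicit LeakyDock(ResourceServer *s) : server_(s) { server_->addObserver(this); }
    void unsetServer() override { server_ = nullptr; }
private:
    ResourceServer *server_;
};

// After the fix: removes itself from the server in its destructor.
class SafeDock : public ResourceObserver {
public:
    explicit SafeDock(ResourceServer *s) : server_(s) { server_->addObserver(this); }
    ~SafeDock() override { if (server_) server_->removeObserver(this); }
    void unsetServer() override { server_ = nullptr; }
    bool hasServer() const { return server_ != nullptr; }
private:
    ResourceServer *server_;
};

// Windows ordering from the report: the dock dies before the server.
std::size_t danglingAfterLeakyDock() {
    ResourceServer server;
    auto dock = std::make_unique<LeakyDock>(&server);
    dock.reset();              // dock gone, server still holds its pointer
    return server.shutdown();  // one dangling observer
}

std::size_t danglingAfterSafeDock() {
    ResourceServer server;
    auto dock = std::make_unique<SafeDock>(&server);
    dock.reset();              // destructor unregistered the dock
    return server.shutdown();  // nothing left to notify
}

// Reverse ordering: the server dies first and the dock must not touch it.
bool safeDockSurvivesServerGone() {
    auto server = std::make_unique<ResourceServer>();
    SafeDock dock(server.get());
    server.reset();            // server calls dock.unsetServer()
    return !dock.hasServer();  // dock's destructor will skip removeObserver
}
```

Dropping the liveness check and building with -fsanitize=address turns the LeakyDock path back into the crash the report describes, reported as a heap-use-after-free at the virtual call in shutdown(); that is the quickest way to reproduce this class of bug deterministically rather than relying on destruction order differing between platforms or build types.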
Comment 5 Bug Janitor Service 2020-06-25 01:40:42 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/krita/-/merge_requests/396
Comment 6 amyspark 2020-06-25 13:53:33 UTC
Git commit 84c95ef6c50d7ddea6cfbec643476077f5f2ea19 by L. E. Segovia.
Committed on 25/06/2020 at 13:38.
Pushed by lsegovia into branch 'master'.

419140 Fix use-after-free in the resource server

Sometimes (under Windows), the main window (and the palette docker)
gets destroyed before the palettes' resource server. Since the docker
does not remove itself as an observer in its destructor, the resource
server will do it on destruction -- thus trying to access a long dead
object.

It is interesting to see that this use-after-free happens:

- 100% reliably on Windows only
- and, to the best of my knowledge, with debug builds.
CCMAIL: kimageshop@kde.org

(cherry picked from commit 4cf116cbe65901146edc4c0de5a6d62a89c41172)

M  +4    -1    plugins/dockers/palettedocker/palettedocker_dock.cpp

https://invent.kde.org/graphics/krita/commit/84c95ef6c50d7ddea6cfbec643476077f5f2ea19